Firewall Wizards mailing list archives

Re: tcpdump installation on unix firewall?


From: Robert Graham <robert_david_graham () yahoo com>
Date: Fri, 27 Aug 1999 17:43:13 -0700 (PDT)

--- Andreas.Bolatzki () ch danzas com wrote:
> Do you consider it an utterly bad idea to install a packet sniffer on a
> firewall?

I do this. I don't use 'tcpdump', though. 

> Why would I want to do this?
> Perhaps you know this already: If sth. is not working it's either the
> firewall or the network.
> I need a tool to prove what's going on... Badly performing server, find out
> what normal traffic is for an application (data volume, traffic profile for
> one request....) and more of this kind.

More to the point: Firewalls tend to log only rejected packets. However, if you
want to study attacks or have evidence around that can be used to prosecute
people, you really need to have the entire packets, not just processed header
info.

> Does it interfere with the FW-1 software?

Probably not. However, it can slow down the system. A better solution would be
to set up a separate system logging the packets "promiscuously", monitoring the
same wire as the firewall, but not actually installed on the firewall.



===
Robert Graham
"Anxiously awaiting the millennium so I can start programming
dates with 2 digits again."
__________________________________________________
Do You Yahoo!?
Bid and sell for free at http://auctions.yahoo.com
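As an added illustration (not code from this thread), the script below reads a libpcap file of the kind a separate promiscuous monitor on the firewall's wire would write, keeps the full packets, and reports packets and payload bytes per TCP connection, which covers both the "traffic profile for one request" question and the point that reject-only firewall logs carry no payload. The capture it parses is constructed inline; checksums are left at zero and only IPv4/TCP over Ethernet is decoded.

```python
import socket
import struct

PCAP_GLOBAL = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # magic, v2.4, snaplen, Ethernet

def build_packet(src, dst, sport, dport, payload):
    # Constructed Ethernet + IPv4 + TCP frame for the sample capture; checksums left at zero.
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload

def pcap_record(frame, ts=936000000):
    return struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame  # per-packet header

def parse_pcap(data):
    """Yield (src, dst, sport, dport, payload) for each TCP/IPv4 frame in a pcap."""
    endian = "<" if struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4 else ">"
    pos = 24
    while pos + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[pos:pos + 16])[2]
        frame = data[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                              # skip runt, non-IPv4 or non-TCP frames
        ip_total = struct.unpack("!H", frame[16:18])[0]
        tcp = frame[14 + (frame[14] & 0x0F) * 4:14 + ip_total]  # honour IP length, not padding
        sport, dport = struct.unpack("!HH", tcp[:4])
        doff = (tcp[12] >> 4) * 4                 # TCP data offset -> start of payload
        yield (socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34]),
               sport, dport, tcp[doff:])

def flow_summary(data):
    """Packets and payload bytes per (src, dst, sport, dport): the traffic profile."""
    flows = {}
    for *key, payload in parse_pcap(data):
        n, b = flows.get(tuple(key), (0, 0))
        flows[tuple(key)] = (n + 1, b + len(payload))
    return flows

def flow_payload(data, key):
    """Full application data of one direction, which a reject-only log never has."""
    return b"".join(p for *f, p in parse_pcap(data) if tuple(f) == key)

# Constructed capture: one HTTP request, its response, and a bare ACK.
SAMPLE_PCAP = PCAP_GLOBAL + b"".join(pcap_record(build_packet(*p)) for p in [
    ("10.0.0.5", "192.0.2.80", 40000, 80, b"GET / HTTP/1.0\r\n\r\n"),
    ("192.0.2.80", "10.0.0.5", 80, 40000, b"HTTP/1.0 200 OK\r\n\r\n" + b"x" * 100),
    ("10.0.0.5", "192.0.2.80", 40000, 80, b""),
])
```

Point it at a real file with `parse_pcap(open("capture.pcap", "rb").read())`; a capture taken with a truncating snaplen will show payloads cut short, which is exactly the "processed header info" problem the message describes.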
